From: bugreport%peshkin.net <> Date: Mon, 12 Jul 2004 10:48:45 +0000 (+0000) Subject: Backing out bug 241900 X-Git-Tag: bugzilla-2.18rc2~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=abdd4eba8b321e66d9a86d2d3592893f69632618;p=thirdparty%2Fbugzilla.git Backing out bug 241900 --- diff --git a/Bugzilla.pm b/Bugzilla.pm index 84cc2d721a..5cee520c7f 100644 --- a/Bugzilla.pm +++ b/Bugzilla.pm @@ -18,7 +18,6 @@ # Rights Reserved. # # Contributor(s): Bradley Baetz -# Erik Stambaugh # package Bugzilla; @@ -53,10 +52,6 @@ sub user { return $_user; } - - -my $current_login_method = undef; - sub login { my ($class, $type) = @_; @@ -71,18 +66,12 @@ sub login { $type = LOGIN_NORMAL unless defined $type; - # Log in using whatever methods are defined in user_info_method - - my $userid; - for my $method (split(/,\s*/, Param('user_info_method'))) { - require "Bugzilla/Auth/Login/" . $method . ".pm"; - $userid = "Bugzilla::Auth::Login::$method"->login($type); - if ($userid) { - $current_login_method = "Bugzilla::Auth::Login::$method"; - last; - } - } + # For now, we can only log in from a cgi + # One day, we'll be able to log in via apache auth, an email message's + # PGP signature, and so on + use Bugzilla::Auth::CGI; + my $userid = Bugzilla::Auth::CGI->login($type); if ($userid) { $_user = new Bugzilla::User($userid); @@ -108,14 +97,11 @@ sub logout { } $option = LOGOUT_CURRENT unless defined $option; - # $current_login_method is defined when the user's login information is - # found. If it's not defined, the user shouldn't be logged in. - if ($current_login_method) { - $current_login_method->logout($_user, $option); - if ($option != LOGOUT_KEEP_CURRENT) { - $current_login_method->clear_browser_cookies(); - logout_request(); - } + use Bugzilla::Auth::CGI; + Bugzilla::Auth::CGI->logout($_user, $option); + if ($option != LOGOUT_KEEP_CURRENT) { + Bugzilla::Auth::CGI->clear_browser_cookies(); + logout_request(); } } @@ -123,9 +109,8 @@ sub logout_user { my ($class, $user) = @_; # When we're logging out another user we leave cookies alone, and # therefore avoid calling logout() directly. - if ($current_login_method) { - $current_login_method->logout($_user, LOGOUT_ALL); - } + use Bugzilla::Auth::CGI; + Bugzilla::Auth::CGI->logout($user, LOGOUT_ALL); } # just a compatibility front-end to logout_user that gets a user by id @@ -142,7 +127,7 @@ sub logout_request { # XXX clean these up eventually delete $::COOKIE{"Bugzilla_login"}; # NB - Can't delete from $cgi->cookie, so the logincookie data will - # remain there; it's only used in Bugzilla::Auth::Login::CGI->logout anyway + # remain there; it's only used in Bugzilla::Auth::CGI->logout anyway # People shouldn't rely on the cookie param for the username # - use Bugzilla->user instead! } diff --git a/Bugzilla/Auth.pm b/Bugzilla/Auth.pm index e6cf27963b..dcea8189a0 100644 --- a/Bugzilla/Auth.pm +++ b/Bugzilla/Auth.pm @@ -18,7 +18,6 @@ # Rights Reserved. # # Contributor(s): Bradley Baetz -# Erik Stambaugh package Bugzilla::Auth; @@ -27,25 +26,19 @@ use strict; use Bugzilla::Config; use Bugzilla::Constants; -# This is here for lack of a better place for it. I considered making it -# part of the user object, but that object doesn't necessarily point to a -# currently authenticated user. -# -# I'm willing to accept suggestions for somewhere else to put it. -my $current_verify_method = undef; - -# 'inherit' from the main verify method +# 'inherit' from the main loginmethod BEGIN { - for my $verifymethod (split /,\s*/, Param("user_verify_method")) { - if ($verifymethod =~ /^([A-Za-z0-9_\.\-]+)$/) { - $verifymethod = $1; + my $loginmethod = Param("loginmethod"); + if ($loginmethod =~ /^([A-Za-z0-9_\.\-]+)$/) { + $loginmethod = $1; } else { - die "Badly-named user_verify_method '$verifymethod'"; + die "Badly-named loginmethod '$loginmethod'"; } - require "Bugzilla/Auth/Verify/" . $verifymethod . ".pm"; + require "Bugzilla/Auth/" . $loginmethod . ".pm"; - } + our @ISA; + push (@ISA, "Bugzilla::Auth::" . $loginmethod); } # PRIVATE @@ -68,46 +61,6 @@ sub get_netaddr { return join(".", unpack("CCCC", pack("N", $addr))); } -# This is a replacement for the inherited authenticate function -# go through each of the available methods for each function -sub authenticate { - my $self = shift; - my @args = @_; - my @firstresult = (); - my @result = (); - for my $method (split /,\s*/, Param("user_verify_method")) { - $method = "Bugzilla::Auth::Verify::" . $method; - @result = $method->authenticate(@args); - @firstresult = @result unless @firstresult; - - if (($result[0] != AUTH_NODATA)&&($result[0] != AUTH_LOGINFAILED)) { - $current_verify_method = $method; - return @result; - } - } - @result = @firstresult; - # no auth match - - # see if we can set $current to the first verify method that - # will allow a new login - - for my $method (split /,\s*/, Param("user_verify_method")) { - $method = "Bugzilla::Auth::Verify::" . $method; - if ($method::can_edit->{'new'}) { - $current_verify_method = $method; - } - } - - return @result; -} - -sub can_edit { - if ($current_verify_method) { - return $current_verify_method->{'can_edit'}; - } - return {}; -} - 1; __END__ @@ -125,8 +78,16 @@ used to obtain the data (from CGI, email, etc), and the other set uses this data to authenticate against the datasource (the Bugzilla DB, LDAP, cookies, etc). -Modules for obtaining the data are located under L, and -modules for authenticating are located in L. +The handlers for the various types of authentication +(DB/LDAP/cookies/etc) provide the actual code for each specific method +of authentication. + +The source modules (currently, only +L) then use those methods to do +the authentication. + +I itself inherits from the default authentication handler, +identified by the I param. =head1 METHODS @@ -147,9 +108,7 @@ only some addresses. =head1 AUTHENTICATION Authentication modules check a user's credentials (username, password, -etc) to verify who the user is. The methods that C uses for -authentication are wrappers that check all configured modules (via the -C and C) in sequence. +etc) to verify who the user is. =head2 METHODS @@ -216,36 +175,19 @@ Note that this argument is a string, not a tag. =back -=item C - -This scalar gets populated with the full name (eg., -C) of the verification method being used by the -current user. If no user is logged in, it will contain the name of the first -method that allows new users, if any. Otherwise, it carries an undefined -value. - =item C -This determines if the user's account details can be modified. It returns a -reference to a hash with the keys C, C, and C, -which determine whether their respective profile values may be altered, and -C, which determines if new accounts may be created. - -Each user verification method (chosen with C has -its own set of can_edit values. Calls to can_edit return the appropriate -values for the current user's login method. - -If a user is not logged in, C will contain the values of the first -verify method that allows new users to be created, if available. Otherwise it -returns an empty hash. +This determines if the user's account details can be modified. If this +method returns a C value, then accounts can be created and +modified through the Bugzilla user interface. Forgotten passwords can +also be retrieved through the L. =back =head1 LOGINS A login module can be used to try to log in a Bugzilla user in a -particular way. For example, -L +particular way. For example, L logs in users from CGI scripts, first by using form variables, and then by trying cookies as a fallback. @@ -308,5 +250,5 @@ user-performed password changes. =head1 SEE ALSO -L, L, L +L, L, L diff --git a/Bugzilla/Auth/Login/CGI.pm b/Bugzilla/Auth/CGI.pm similarity index 95% rename from Bugzilla/Auth/Login/CGI.pm rename to Bugzilla/Auth/CGI.pm index 2f8ca071db..471e538e94 100644 --- a/Bugzilla/Auth/Login/CGI.pm +++ b/Bugzilla/Auth/CGI.pm @@ -25,9 +25,8 @@ # Gervase Markham # Christian Reis # Bradley Baetz -# Erik Stambaugh -package Bugzilla::Auth::Login::CGI; +package Bugzilla::Auth::CGI; use strict; @@ -50,7 +49,7 @@ sub login { my $username = $cgi->param("Bugzilla_login"); my $passwd = $cgi->param("Bugzilla_password"); - my $authmethod = Param("user_verify_method"); + my $authmethod = Param("loginmethod"); my ($authres, $userid, $extra, $info) = Bugzilla::Auth->authenticate($username, $passwd); @@ -99,11 +98,11 @@ sub login { $username = $cgi->cookie("Bugzilla_login"); $passwd = $cgi->cookie("Bugzilla_logincookie"); - require Bugzilla::Auth::Login::CGI::Cookie; + require Bugzilla::Auth::Cookie; my $authmethod = "Cookie"; ($authres, $userid, $extra) = - Bugzilla::Auth::Login::CGI::Cookie->authenticate($username, $passwd); + Bugzilla::Auth::Cookie->authenticate($username, $passwd); # If the data for the cookie was incorrect, then treat that as # NODATA. This could occur if the user's IP changed, for example. @@ -144,7 +143,7 @@ sub login { { 'target' => $cgi->url(-relative=>1), 'form' => \%::FORM, 'mform' => \%::MFORM, - 'caneditaccount' => Bugzilla::Auth->can_edit->{'new'}, + 'caneditaccount' => Bugzilla::Auth->can_edit, } ) || ThrowTemplateError($template->error()); @@ -234,7 +233,7 @@ __END__ =head1 NAME -Bugzilla::Auth::Login::CGI - CGI-based logins for Bugzilla +Bugzilla::Auth::CGI - CGI-based logins for Bugzilla =head1 SUMMARY @@ -247,7 +246,7 @@ Users are first authenticated against the default authentication handler, using the CGI parameters I and I. If no data is present for that, then cookies are tried, using -L. +L. =head1 SEE ALSO diff --git a/Bugzilla/Auth/Login/CGI/Cookie.pm b/Bugzilla/Auth/Cookie.pm similarity index 93% rename from Bugzilla/Auth/Login/CGI/Cookie.pm rename to Bugzilla/Auth/Cookie.pm index 9c0e2e5660..b50acbe242 100644 --- a/Bugzilla/Auth/Login/CGI/Cookie.pm +++ b/Bugzilla/Auth/Cookie.pm @@ -26,7 +26,7 @@ # Christian Reis # Bradley Baetz -package Bugzilla::Auth::Login::CGI::Cookie; +package Bugzilla::Auth::Cookie; use strict; @@ -93,7 +93,7 @@ __END__ =head1 NAME -Bugzilla::Auth::Login::CGI::Cookie - cookie authentication for Bugzilla +Bugzilla::Cookie - cookie authentication for Bugzilla =head1 SUMMARY @@ -108,8 +108,8 @@ restricted to certain IP addresses as a security meaure. The exact restriction can be specified by the admin via the C parameter. This module does not ever send a cookie (It has no way of knowing when a user -is successfully logged in). Instead L handles this. +is successfully logged in). Instead L handles this. =head1 SEE ALSO -L, L +L, L diff --git a/Bugzilla/Auth/Verify/DB.pm b/Bugzilla/Auth/DB.pm similarity index 93% rename from Bugzilla/Auth/Verify/DB.pm rename to Bugzilla/Auth/DB.pm index 4db34b5cf1..dee3b5db9b 100644 --- a/Bugzilla/Auth/Verify/DB.pm +++ b/Bugzilla/Auth/DB.pm @@ -25,9 +25,8 @@ # Gervase Markham # Christian Reis # Bradley Baetz -# Erik Stambaugh -package Bugzilla::Auth::Verify::DB; +package Bugzilla::Auth::DB; use strict; @@ -35,15 +34,6 @@ use Bugzilla::Config; use Bugzilla::Constants; use Bugzilla::Util; -# can_edit is now a hash. - -my $can_edit = { - 'new' => 1, - 'userid' => 0, - 'login_name' => 1, - 'realname' => 1, -}; - sub authenticate { my ($class, $username, $passwd) = @_; @@ -71,6 +61,8 @@ sub authenticate { return (AUTH_OK, $userid); } +sub can_edit { return 1; } + sub get_id_from_username { my ($class, $username) = @_; my $dbh = Bugzilla->dbh; @@ -119,7 +111,7 @@ __END__ =head1 NAME -Bugzilla::Auth::Verify::DB - database authentication for Bugzilla +Bugzilla::Auth::DB - database authentication for Bugzilla =head1 SUMMARY diff --git a/Bugzilla/Auth/Verify/LDAP.pm b/Bugzilla/Auth/LDAP.pm similarity index 95% rename from Bugzilla/Auth/Verify/LDAP.pm rename to Bugzilla/Auth/LDAP.pm index 737827ee04..c34c3698fe 100644 --- a/Bugzilla/Auth/Verify/LDAP.pm +++ b/Bugzilla/Auth/LDAP.pm @@ -25,9 +25,8 @@ # Gervase Markham # Christian Reis # Bradley Baetz -# Erik Stambaugh -package Bugzilla::Auth::Verify::LDAP; +package Bugzilla::Auth::LDAP; use strict; @@ -36,15 +35,6 @@ use Bugzilla::Constants; use Net::LDAP; -# can_edit is now a hash. - -my $can_edit = { - 'new' => 0, - 'userid' => 0, - 'login_name' => 0, - 'realname' => 0, -}; - sub authenticate { my ($class, $username, $passwd) = @_; @@ -166,13 +156,15 @@ sub authenticate { return (AUTH_OK, $userid); } +sub can_edit { return 0; } + 1; __END__ =head1 NAME -Bugzilla::Auth::Verify::LDAP - LDAP based authentication for Bugzilla +Bugzilla::Auth::LDAP - LDAP based authentication for Bugzilla This is an L for Bugzilla, which logs the user in using an LDAP directory. diff --git a/Bugzilla/Config.pm b/Bugzilla/Config.pm index d73f22875c..b568918e37 100644 --- a/Bugzilla/Config.pm +++ b/Bugzilla/Config.pm @@ -25,7 +25,6 @@ # J. Paul Reed # Bradley Baetz # Christopher Aillon -# Erik Stambaugh package Bugzilla::Config; @@ -218,12 +217,6 @@ sub UpdateParams { $param{'loginmethod'} = $param{'useLDAP'} ? "LDAP" : "DB"; } - # set verify method to whatever loginmethod was - if (exists $param{'loginmethod'} && !exists $param{'user_verify_method'}) { - $param{'user_verify_method'} = $param{'loginmethod'}; - delete $param{'loginmethod'}; - } - # --- DEFAULTS FOR NEW PARAMS --- foreach my $item (@param_list) { diff --git a/checksetup.pl b/checksetup.pl index 9961009e85..51a1bb2f4a 100755 --- a/checksetup.pl +++ b/checksetup.pl @@ -27,7 +27,6 @@ # Bradley Baetz # Tobias Burnus # Gervase Markham -# Erik Stambaugh # # # Direct any questions on this source code to @@ -1493,12 +1492,10 @@ END { $dbh->disconnect if $dbh } # Check for LDAP ########################################################################### -for my $verifymethod (split /,\s*/, Param('user_verify_method')) { - if ($verifymethod eq 'LDAP') { - my $netLDAP = have_vers("Net::LDAP", 0); - if (!$netLDAP && !$silent) { - print "If you wish to use LDAP authentication, then you must install Net::LDAP\n\n"; - } +if (Param('loginmethod') eq 'LDAP') { + my $netLDAP = have_vers("Net::LDAP", 0); + if (!$netLDAP && !$silent) { + print "If you wish to use LDAP authentication, then you must install Net::LDAP\n\n"; } } diff --git a/defparams.pl b/defparams.pl index b067d583a6..6861d04476 100644 --- a/defparams.pl +++ b/defparams.pl @@ -25,7 +25,6 @@ # J. Paul Reed # Bradley Baetz # Joseph Heenan -# Erik Stambaugh # # This file defines all the parameters that we have a GUI to edit within @@ -128,7 +127,7 @@ sub check_netmask { return ""; } -sub check_user_verify_method { +sub check_loginmethod { # doeditparams traverses the list of params, and for each one it checks, # then updates. This means that if one param checker wants to look at # other params, it must be below that other one. So you can't have two @@ -137,20 +136,18 @@ sub check_user_verify_method { # the login method as LDAP, we won't notice, but all logins will fail. # So don't do that. - my ($list, $entry) = @_; - for my $method (split /,\s*/, $list) { - my $res = check_multi($method, $entry); - return $res if $res; - if ($method eq 'DB') { - # No params - } elsif ($method eq 'LDAP') { - eval "require Net::LDAP"; - return "Error requiring Net::LDAP: '$@'" if $@; - return "LDAP servername is missing" unless Param("LDAPserver"); - return "LDAPBaseDN is empty" unless Param("LDAPBaseDN"); - } else { - return "Unknown user_verify_method '$method' in check_user_verify_method"; - } + my ($method, $entry) = @_; + my $res = check_multi($method, $entry); + return $res if $res; + if ($method eq 'DB') { + # No params + } elsif ($method eq 'LDAP') { + eval "require Net::LDAP"; + return "Error requiring Net::LDAP: '$@'" if $@; + return "LDAP servername is missing" unless Param("LDAPserver"); + return "LDAPBaseDN is empty" unless Param("LDAPBaseDN"); + } else { + return "Unknown loginmethod '$method' in check_loginmethod"; } return ""; } @@ -435,40 +432,9 @@ sub find_languages { default => '', }, - # in the future: - # - # user_verify_method and user_info_method should have choices gathered from - # whatever sits in their respective directories - # - # rather than comma-separated lists, these two should eventually become - # arrays, but that requires alterations to editparams first - - { - name => 'user_info_method', - desc => 'Methods to be used for gathering a user\'s login information. - - More than one may be selected. If the first one returns nothing, - the second is tried, and so on.
- The types are: -
-
CGI
-
- Asks for username and password via CGI form interface. -
-
', - type => 's', - choices => [ 'CGI' ], - default => 'CGI', - checker => \&check_multi - }, - { - name => 'user_verify_method', - desc => 'Methods to be used for verifying (authenticating) information - gathered by user_info_method. - More than one may be selected. If the first one cannot find the - user, the second is tried, and so on.
- The types are: + name => 'loginmethod', + desc => 'The type of login authentication to use:
DB
@@ -484,9 +450,9 @@ sub find_languages {
', type => 's', - choices => [ 'DB', 'LDAP', 'DB,LDAP', 'LDAP,DB' ], + choices => [ 'DB', 'LDAP' ], default => 'DB', - checker => \&check_user_verify_method + checker => \&check_loginmethod }, { diff --git a/editusers.cgi b/editusers.cgi index fa3efbf8fe..826bb4b342 100755 --- a/editusers.cgi +++ b/editusers.cgi @@ -23,7 +23,6 @@ # Joe Robins # Dan Mosedale # Joel Peshkin -# Erik Stambaugh # # Direct any questions on this source code to # @@ -115,11 +114,15 @@ sub EmitFormElements ($$$$) if ($editall) { print "\n"; print " Password:\n"; + if(!Bugzilla::Auth->can_edit) { + print " This site's authentication method does not allow password changes through Bugzilla!\n"; + } else { print qq|
(enter new password to change) |; + } print "\n"; print " Disable text:\n"; @@ -206,7 +209,7 @@ sub EmitFormElements ($$$$) sub PutTrailer (@) { my (@links) = ("Back to the index"); - if($editall) { + if($editall && Bugzilla::Auth->can_edit) { push(@links, "add a new user"); } @@ -358,7 +361,7 @@ if ($action eq 'list') { } print ""; } - if ($editall) { + if ($editall && Bugzilla::Auth->can_edit) { print "\n"; my $span = $candelete ? 3 : 2; print qq{ @@ -392,6 +395,12 @@ if ($action eq 'add') { exit; } + if(!Bugzilla::Auth->can_edit) { + print "The authentication mechanism you are using does not permit accounts to be created from Bugzilla"; + PutTrailer(); + exit; + } + print "
\n"; print "\n"; @@ -423,6 +432,12 @@ if ($action eq 'new') { exit; } + if (!Bugzilla::Auth->can_edit) { + print "This site's authentication mechanism does not allow new users to be added."; + PutTrailer(); + exit; + } + # Cleanups and valididy checks my $realname = trim($::FORM{realname} || ''); # We don't trim the password since that could falsely lead the user @@ -799,7 +814,7 @@ if ($action eq 'update') { # Update the database with the user's new password if they changed it. - if ( $editall && $password ) { + if ( Bugzilla::Auth->can_edit && $editall && $password ) { my $passworderror = ValidatePassword($password); if ( !$passworderror ) { my $cryptpassword = SqlQuote(Crypt($password)); diff --git a/t/Support/Files.pm b/t/Support/Files.pm index de5b598c58..ffadc562c4 100644 --- a/t/Support/Files.pm +++ b/t/Support/Files.pm @@ -29,7 +29,7 @@ package Support::Files; @additional_files = (); %exclude_deps = ( 'XML::Parser' => ['importxml.pl'], - 'Net::LDAP' => ['Bugzilla/Auth/Verify/LDAP.pm'], + 'Net::LDAP' => ['Bugzilla/Auth/LDAP.pm'], );